Tricky Sample ? Hack it easy! Applying dynamic binary instrumentation to light-weight malware behavior analysis Maksim Shudrak About Me

Interests BIO

Vulnerabilities Hunting 2018 – present: Senior Offensive Security Researcher Fuzzing 2016: Defended PhD (Vulns Hunting) in Tomsk, Russia Reverse-engineering 2015-2017: Researcher, IBM Research, Haifa, Israel Malware Analysis 2011-2015: Security Researcher, PhD student Dynamic Binary Instrumentation

Projects Drltrace – transparent API-calls tracing for malware analysis https://github.com/mxmssh/drltrace WinHeap Explorer – PoC for heap-based bugs detection in x86 code https://github.com/WinHeapExplorer/WinHeap-Explorer IDAMetrics – IDA plugin for machine code complexity assessment https://github.com/mxmssh/IDAmetrics Outline

● Why Dynamic Analysis? ● Current approaches ● Runtime Overhead vs Visibility ● Dynamic Binary Instrumentation ● Technique Overview ● DBI Frameworks Comparison ● DrLtrace ● How Does It Work ? ● Usage ● Examples & Demo

3 Why dynamic ?

● Obfuscated & packed code hard for static analysis. ● In some cases, we need only a high- level view on malware behavior.

4 Current Situation in Dynamic Analysis

Emulation

(e.g. QEMU+PANDA)

Library Calls Tracing

(e.g. APIMonitor) Visibility

Syscalls Tracing (e.g. ProcMon)

Runtime overhead

5 Emulation. Visibility Example

6 Runtime Overhead. Stalling Code

7 10 min on CPU = 1d08h in emulator

8 Emulation. Visibility Example

9 Syscalls Tracing. Visibility Example

10 API Tracing. Visibility Example

11 Ltrace for Linux

12 Current Situation in Dynamic Analysis

Emulation

? (e.g. QEMU+PANDA)

Library Calls Tracing

(e.g. APIMonitor) Visibility

Syscalls Tracing (e.g. ProcMon)

Runtime overhead

13 Current Situation in Dynamic Analysis

Emulation (e.g. QEMU+PANDA) Dynamic Binary Instrumentation

(e.g. Intel Pin)

Library Calls Tracing

(e.g. APIMonitor) Visibility

Syscalls Tracing (e.g. ProcMon)

Runtime overhead

14

Dynamic Binary Instrumentation (DBI) is a technique of analyzing the behavior of a binary application at runtime through the injection of instrumentation code.

15 Modern DBI Frameworks

DynamoRIO Intel PIN Redistribution Open-source, BSD – license Proprietary model Supported x86, x86-64, ARM, AArch64 x86, x86-64 architectures Supported Linux, Windows, MacOS, Linux, Windows, MacOS, Platforms Android Android Average 108% (no tool) 130% (no tool) runtime overhead 139% (BBs counter) 162% (BBs counter) Language C/C++ C/C++ (some Python wrappers available) Technology Binary code transformation callout/trampolines

16 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory

Launcher Target application

shared system libs

Kernel 17 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory (1) Launch (suspended) Launcher Target application

shared system libs

. .

Kernel 18 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory (1) Launch (suspended) Launcher Target application

(2) shared system libs Inject instrumentation library

Kernel 19 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory (1) Launch (suspended) Launcher Target application

shared system libs (3) Hook entry point DynamoRIO lib + user-defined libs

Kernel 20 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory (1)

Launch (suspended) Launcher Target application

shared system libs (3) (4) Hook entry point DynamoRIO lib + user-defined libs

basic block

Take first basic block basic first Take ins1 ins2 ins3

Kernel 21 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory (1)

Launch (suspended) Launcher Target application

shared system libs (3) (4) Hook entry point DynamoRIO lib + user-defined libs Code cache ins1 DR’s ins1 basic block DR’s ins2 (5) ins2 Take first basic block basic first Take ins1 DR’s ins3 ins2 transformation DR’s ins4 ins3 ins3 DR’s ins5 DR’s ins6

Kernel 22 How Does DynamoRIO Work ? (10000 foot view)

DynamoRIO Application in memory (1)

Launch (suspended)

Launcher Target application Take next basic block basic next Take

shared system libs (3) (4) (6) Hook entry point DynamoRIO lib + user-defined libs Code cache ins1 DR’s ins1 basic block DR’s ins2 (5) ins2 Take first basic block basic first Take ins1 DR’s ins3 ins2 transformation DR’s ins4 ins3 ins3 DR’s ins5 DR’s ins6

Kernel 23 How Does Drltrace Work ? Application in memory

Main module

kernel32.dll

ntdll.dll

DBI engine dynamorio.dll

drltrace.dll

24 How Does Drltrace Work ? Application in memory

Main module

kernel32.dll

ntdll.dll (1)

DBI engine call LoadLibrary Instrument

dynamorio.dll

(1.1) drltrace.dll Setcallback

25 How Does Drltrace Work ? Application in memory

Main module

(2) LoadLibrary(msvcrt.dll)

kernel32.dll

ntdll.dll (1)

DBI engine call LoadLibrary Instrument

dynamorio.dll

(1.1) drltrace.dll Setcallback

26 How Does Drltrace Work ? Application in memory

Main module

(2) LoadLibrary(msvcrt.dll)

kernel32.dll

ntdll.dll (1)

msvcrt.dll (being loaded)

DBI engine call LoadLibrary Instrument

(3) dynamorio.dll

(1.1) drltrace.dll

Setcallback Instrument exported functions exported Instrument

27 DynamoRIO and Drltracelib in The Memory of Calculator

28 Usage drltrace.exe –logdir . – malware.exe Why DrLtrace Rock

● Support x86 and x64 (ARM in future).

30 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future).

31 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future). ● Support self-modifying code.

32 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future). ● Support self-modifying code. ● Support all types of library API calls (static and dynamic).

33 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future). ● Support self-modifying code. ● Support all types of library API calls (static and dynamic). ● Not-detectable by standard malware anti-research techniques (anti-hooking, anti-debugging and anti- emulation).

34 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future). ● Support self-modifying code. ● Support all types of library API calls (static and dynamic). ● Not-detectable by standard malware anti-research techniques (anti-hooking, anti-debugging and anti- emulation). ● External configuration file to add new API calls.

35 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future). ● Support self-modifying code. ● Support all types of library API calls (static and dynamic). ● Not-detectable by standard malware anti-research techniques (anti-hooking, anti-debugging and anti- emulation). ● External configuration file to add new API calls. ● Easy-to-use (no additional dependencies, no heavy- weight GUI). 36 Why DrLtrace Rock

● Support x86 and x64 (ARM in future). ● Support Windows and Linux (macOS in future). ● Support self-modifying code. ● Support all types of library API calls (static and dynamic). ● Not-detectable by standard malware anti-research techniques (anti-hooking, anti-debugging and anti- emulation). ● External configuration file to add new API calls. ● Easy-to-use (no additional dependencies, no heavy- weight GUI). ● Open-source (BSD-license). 37 Runtime Overhead

50 44,6 45 43,3

40 37,2 35 32

30 25,6 25 22 20,2 20 16,5 14,7 15

RUNTIME OVERHEAD RUNTIME 10 10

5

0

PowerPoint Word Calculator Internet Explorer VMWare IDA PRO StarCraft II Dropbox Chrome Notepad++ 38 Launcher Example 1. EmbusteBot

● Type - Brazilian Banking Trojan ● Language - Delphi ● Main Functionality – Keylogger, Screenshots capturing ● Obfuscation – time-based anti-research checks, encryption of sensitive strings, no code packing ● Operation period – (2017 – present)

Report- https://securityintelligence.com/brazilian-malware-never-sleeps-meet-embustebot/ More details - https://github.com/mxmssh/drltrace/wiki/Malware-Analysis-Examples

39

Example 1. EmbusteBot drltrace.exe -logdir . -print_ret_addr – vdeis.exe

40 Example I. EmbusteBot. Searching for Tab with Bank Name

41 Example I. EmbusteBot. Screenshots Capturing and Keylogging API Calls

42 Example I. EmbusteBot. Trigger

43 Example II. Gootkit Loader

● Type : Banking Trojan ● Language : C ● Main Functionality: Unpack actual payload loader, deliver Gootkit malware on victim’s machine ● Obfuscation: anti-VM, anti-debugging, anti-emulation, time-based anti-research, packed payload, machine- code obfuscation, anti-sandboxing. ● Operation period: (2014 – present)

Technical report - https://drive.google.com/file/d/0BzFSoGMCVlTORUExdF9RTklpX3c/view More details - https://github.com/mxmssh/drltrace/wiki/Malware-Analysis-Examples 44 Example II. Gootkit Loader drltrace.exe -logdir . -print_ret_addr -- 477c305~f01.exe

45 Example II. Gootkit Loader. Unpacking

46 Example II. Gootkit Loader. Process Hollowing. New Process Creation

47 Example II. Gootkit Loader. Process Hollowing. New Section

48 Example II. Gootkit Loader. Process Hollowing. Write & Resume

49 Example II. Gootkit Loader

50 Example II. Gootkit Loader

51 Example II. Gootkit Loader

52

DEMO. NotPetya/PetrWrap

53

54 Drltrace. API calls visualization script python api_calls_vis.py -i wannacry.jpeg -gr -t drltrace_log_wannacry.log

55 Drltrace. API calls visualization script python api_calls_vis.py -ht wannacry.html -gr -t drltrace_log_wannacry.log

56 Future Work

● Make DynamoRIO more resistant against anti-DBI tricks. ● Add heuristics to search for certain (YARA rules?) malicious patterns in logs. ● ARM and macOS. ● Attach drltrace into running process

57 Conclusion

● Dynamic binary instrumentation is a reasonable trade-off for dynamic malware analysis. ● Drltrace is the first efficient and light-weight solution for API calls tracing in modern sophisticated malicious samples based on DBI technique. ● The solution allowed to revel in several minutes a lot of internal technical details about malicious sample without even starting IDA or debugger.

58

Thank you! https://github.com/mxmssh/drltrace

https://www.linkedin.com/in/mshudrak https://twitter.com/MShudrak